ICS Vulnerabilities and CVEs: Second Half of 2022

SynSaber researchers dug into the 920+ CVE Advisories released by CISA in the second half of 2022. Our 12-page research report covers:

•  Who is reporting the majority of CVEs?
•  How many CVEs have a low probability of exploitation?
•  What remediations (if any) are available?
•  Overall, what percentage of reported CVEs actually matter to those in critical infrastructure?
•  Did the CVEs reported in the second half of 2022 differ from those reported in the first half?

👓 Reviewing ICS Vulnerabilities
Through a Different Lens

With increased discussion around ICS vulnerabilities, we wondered: What could be discovered if we looked at reported Common Vulnerabilities and Exposures (CVEs) from a different perspective? What questions could be answered from the 920+ CVEs reported via the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the second half of 2022? With our curiosity piqued, SynSaber researchers went to work.

🌳 CVE Can’t Be Patched in the Forest
Does it Make an Exploitable Sound?

The sheer volume of reported ICS vulnerabilities and CVEs may cause critical infrastructure asset owners to feel overwhelmed, or not know where best to begin. But the figures seem less daunting once we understand what percentage of CVEs are pertinent and actionable, versus which will remain “forever-day” vulnerabilities, at least for the time being.

Here’s a sneak peek of some CVE stats you’ll find in the Report:

• 35% have no patch or remediation currently available (was 13% first half ’22)

• 56% were reported by OEMs, and 43% by security vendors & independent researchers

• 28% require local or physical access to the system in order to exploit (was 23% first half ’22)

• 22% can and should be prioritized & addressed first, with organization & vendor planning
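The triage lens behind those stats, as an added example that is not SynSaber's code or the report's methodology: given advisory records carrying the reporter, the remediation status and a CVSS v3.1 vector, it computes the same buckets (no fix available, OEM-reported, local/physical access required). The sample advisories and the "prioritize first" rule (a fix exists and the flaw is reachable over the network) are assumptions made for this example.

```python
"""Slice a set of ICS advisories the way the report does: who reported
them, whether a fix exists, and whether exploitation needs local or
physical access (CVSS v3.1 AV:L or AV:P). Sample data is constructed."""
from collections import Counter

# Constructed sample advisories with placeholder IDs (not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0001", "reporter": "oem", "remediation": "patch",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0002", "reporter": "researcher", "remediation": None,
     "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "CVE-0000-0003", "reporter": "oem", "remediation": "mitigation",
     "cvss": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},
    {"id": "CVE-0000-0004", "reporter": "researcher", "remediation": "patch",
     "cvss": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
]


def parse_cvss_vector(vector):
    """Split a CVSS v3.x vector string into a metric -> value dict."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def needs_local_or_physical(advisory):
    """True when the attacker must already be on or at the device."""
    return parse_cvss_vector(advisory["cvss"])["AV"] in ("L", "P")


def triage(advisories):
    """Return the report's buckets as percentages of the advisory set."""
    n = len(advisories)

    def pct(k):
        return round(100 * k / n, 1) if n else 0.0

    reporters = Counter(a["reporter"] for a in advisories)
    no_fix = sum(1 for a in advisories if a["remediation"] is None)
    local = sum(1 for a in advisories if needs_local_or_physical(a))
    # Assumed "act first" rule: a fix exists and the flaw is AV:N or AV:A.
    act_first = [a["id"] for a in advisories
                 if a["remediation"] is not None
                 and not needs_local_or_physical(a)]
    return {
        "total": n,
        "no_remediation_pct": pct(no_fix),
        "oem_reported_pct": pct(reporters["oem"]),
        "local_or_physical_pct": pct(local),
        "prioritize_first": act_first,
    }
```

Feeding the real CISA advisory set (reporter credit, remediation section, CVSS vector) through the same functions reproduces the report's four headline percentages for any period you choose.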